Would I be down-voted into oblivion if I advocated that Monero, the Bitcoin bullshit that seems to be supported entirely by using other people's computers for their own gain, be regulated into oblivion?

Would I be down-voted into oblivion if I advocated that Monero, the Bitcoin bullshit that seems to be supported entirely by using other people's computers for their own gain, be regulated into oblivion?

Or is there some redeeming value to it that makes that idea bad?

The only problem I can see with that idea is that it doesn't go far enough. Considering the amount of energy the various cryptocurrencies use, and how little value society actually gets for that energy, I'd be inclined to regulate all cryptocurrencies into oblivion.

Jebus they had it reported to them back in August and Docker did jack squat?

Docker has some splain'n to do.

Sure, but they're exactly no different from virtually every company out there. The average firm will threaten you if you point out some hole in their web site, etc. Heck even Intel and AMD both know their management processors are utterly pathetically broken and rather easily hackable, yet they do nothing. It's easy to go on and on.

At some point, there needs to start being liability, nothing else works except take people's money away from them. Then they pay attention!

On that note can someone explain Docker Hub and these images they are talking about.

Docker is a system that provides lightweight "containers". A container contains a bundle of an application binary, support libraries, and other such things, such that you can take a container and deploy it to bring the application up without needing to spin up a full VM, install the app and its dependencies, etc. Basically, it's a lightweight method of isolating applications from each other, kind of sort of like a cut down VMware. (Not really, but it's an analogy to give you a bit of an idea.)

A Docker image is basically such a container, all nice and neatly packaged for the user to grab and use rather than having to build it from the ground up. Think of it as being roughly equivalent to a virtual host image, but with less overhead. Docker Hub is a central place for storing such images - you're not obliged to grab pre-built images from there, but it's convenient to do so.

Wikipedia has a general overview of Docker if you want more information. You don't need to use Docker Hub to take advantage of Docker; it's just convenient. And we all know what they say about convenience versus security...

This simply blows my mind and I have to concur with another poster that the download numbers were artificially raised to bump them up the "trust == number of downloads" chain. As opposed to verifying the actual source.

Leaving aside the security implications of simply grabbing some random image - and Docker is still lacking in verification mechanisms here - you'd at least think people would limit their downloads to "Tomcat only from Apache" and "MySQL only from Oracle"?

The few images I've taken not from the original sources I've generally grabbed from Github to see what's in them.

I also agree with others: Docker has shown themselves to be untrustworthy with their lackadaisical attitude, meaning at this time blocking Hub is really the only secure approach, even for those images posted by somewhat trusted sources (e.g. vendors).

The Kromtech blog is inaccurate: it claims that the screenshot showing 544.7xx Monero paid is an image of the originator's wallet. It is in fact a total of the amount paid by that particular mining pool to that address. The actual balance of that wallet could be many times that figure, depending on what transactions involving that wallet had been made and whether the wallet holder was active on other mining pools. If the wallet holder has used sub-addresses, the total wallet balance is further obscured.

The Monero blockchain is opaque by design, and without being given a viewkey it is (currently) impossible to check the balance of a wallet. Further, in contrast to Bitcoin, it is not possible to monitor that address and check when a withdrawal or any other transaction occurs.

On that note can someone explain Docker Hub and these images they are talking about.

I am no expert but, imagine you want to create, let's say, a GitLab instance in a new server or vm or whatever you have.

You can just install Docker and then do (just for explaining purposes):

docker run --name gitlab gitlab/gitlab-ce:9.1.0-ce.0

Which will connect to Dockerhub and download an image of a Gitlab "VM" already configured. In this case the "gitlab" before the dash (/) means the user, which makes this command a "get" from the official repository.

The awesome thing about dockers is how easy it is to configure them, how scalable they are and how few resources they end up using.

Just as an example so you can get a better grasp, a full command to start Gitlab would be:

docker run --name gitlab --hostname server.example.com --publish 30080:30080 --publish 30022:22 --env GITLAB_OMNIBUS_CONFIG="external_url 'http://polaris.example.com:30080'; gitlab_rails['gitlab_shell_ssh_port']=30022;" gitlab/gitlab-ce:9.1.0-ce.0

This will get the Gitlab version 9.1.0-ce.0, download it and start it with the following parameters:
- name: a name so you can identify your dockers when doing a listing ([sudo] docker ps)
- hostname: that will affect GitLab configuration and set that as the hostname
- publish: host port:docker port; I believe this one is self-explanatory
- env: overwrite/set a system variable; in this case it is to force those parameters with the first boot, which equals installation

Again, no expert, but I've been working with dockers for a few months; hopefully this is clear enough.
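An added example (my own code, not any poster's and not Docker's) for two points made above: the "Tomcat only from Apache, MySQL only from Oracle" idea of verifying the source rather than trusting download counts, and the rule in the post just above that the part before the slash in gitlab/gitlab-ce names the publisher. It parses an image reference into registry, namespace, repository, tag and digest, checks the publisher against an allowlist, requires a digest pin, and flags names one edit away from an official image. The allowlist contents and the sample references are assumptions made up for illustration.

```python
"""Parse Docker image references and enforce a publisher allowlist.

Added example; not code from the thread or from Docker. The reference
grammar is the documented form
    [registry[:port]/][namespace/]repository[:tag][@sha256:<hex>]
with docker.io/library as the default for bare names like "tomcat".
The allowlist and sample references are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed policy: which (registry, namespace) may publish which repository.
ALLOWED_PUBLISHERS = {
    ("docker.io", "library"): {"tomcat", "mysql", "nginx"},   # Docker "official" images
    ("docker.io", "gitlab"): {"gitlab-ce"},                   # vendor namespace
}


@dataclass(frozen=True)
class ImageRef:
    registry: str
    namespace: str
    repository: str
    tag: str
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference; raises ValueError on a malformed digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    # A ':' introduces a tag only when no '/' follows it; otherwise it is a
    # registry port, as in localhost:5000/foo.
    name, tag = ref, "latest"
    if ":" in ref and "/" not in ref.rsplit(":", 1)[1]:
        name, tag = ref.rsplit(":", 1)
    parts = name.split("/")
    registry = "docker.io"
    # The first path component is a registry if it looks like a hostname.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    if len(parts) == 1:
        namespace = "library" if registry == "docker.io" else ""
    else:
        namespace = "/".join(parts[:-1])
    return ImageRef(registry, namespace, parts[-1], tag, digest)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typosquats of official names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes_of_official(repository: str, max_distance: int = 1) -> set:
    """Official image names within max_distance edits of `repository`."""
    officials = ALLOWED_PUBLISHERS[("docker.io", "library")]
    return {o for o in officials
            if o != repository and edit_distance(repository, o) <= max_distance}


def check_image_ref(ref: str, require_digest: bool = True) -> list:
    """Return policy violations for `ref`; an empty list means it may be pulled."""
    try:
        img = parse_image_ref(ref)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    publisher = f"{img.registry}/{img.namespace}" if img.namespace else img.registry
    if img.repository not in ALLOWED_PUBLISHERS.get((img.registry, img.namespace), set()):
        problems.append(f"{publisher} is not an allowed publisher of {img.repository}")
        near = lookalikes_of_official(img.repository)
        if near:
            problems.append(f"{img.repository} resembles official image(s): {sorted(near)}")
    if require_digest and img.digest is None:
        problems.append("not pinned by digest; a tag can be repointed at different content")
    return problems


if __name__ == "__main__":
    for sample in ("gitlab/gitlab-ce:9.1.0-ce.0",
                   "tomcat@sha256:" + "0" * 64,
                   "some-user/tomcatt:latest"):
        print(sample, "->", check_image_ref(sample) or "OK")
```

The digest requirement is the part worth keeping even if the allowlist is too strict for your environment: a tag such as 9.1.0-ce.0 can be re-pushed with different content, a sha256 digest cannot.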

Would I be down-voted into oblivion if I advocated that Monero, the Bitcoin bullshit that seems to be supported entirely by using other people's computers for their own gain, be regulated into oblivion?

Or is there some redeeming value to it that makes that idea bad?

Monero is essentially an encryption protocol for sending information (usually tokens) from one place to another. Your point that it's used for bad stuff is valid, but I'm a bit disappointed to see that so many ars readers think that the government banning/regulating encryption is a good way to deal with it being used for bad stuff.

It's the same argument the FBI is making for regulating and banning other encryption protocols. Sure, it's a different kind of encryption, but the issues with your preferred solution are the same:
- Banning it will be completely ineffective at preventing illegitimate use
- On the other hand, banning it will almost definitely prevent legitimate use

I was into the second paragraph before I realized it wasn't talking about visual images. Maybe the word 'software' would be more to the point than 'images', at least in the headline and before Docker Hub is explained.

I don’t see any explanation of how the host filesystem was mounted into the containers. Did the victims really add ‘-v /:/mnt’ to the docker command line to explicitly mount the root filesystem into a container of unknown origin? I can’t imagine anyone who understands how docker works blindly running an image configured like that. Maybe they ran a malicious shell script that started the container?

Edit: It looks like the attackers used unprotected management interfaces to start the containers. Once the attacker had access to start a container, they probably had access to configure an additional registry to download malware images from. In related news, running ssh configured to allow root to log in with a weak password will let people run malware on your server.
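The "unprotected management interfaces" in the edit above are, in practice, the Docker daemon's TCP API, and the point that the attacker could then add a registry is also a daemon-configuration matter. As an added example (mine, not a poster's and not Docker's), here is a check over a daemon.json for a TCP listener without TLS client verification, for binding to every interface, and for registries marked insecure. The keys inspected are documented dockerd options; both sample configurations are constructed and the certificate paths in the hardened one are placeholders.

```python
"""Audit a Docker daemon.json for an unauthenticated remote API.

Added example; not from the thread or from Docker. The keys inspected
("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey",
"insecure-registries") are documented dockerd options. Both sample
configurations are constructed; the certificate paths are placeholders.
"""
import json

# Constructed: the weak configuration seen on exposed hosts, with the
# conventional plaintext port 2375 open on every interface.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["registry.example.internal:5000"]
}
"""

# Constructed: TLS with client-certificate verification, bound to one address.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}


def audit_daemon_config(daemon_json: str) -> list:
    """Return findings for a daemon.json; an empty list means none found."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_on = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// are local, protected by file permissions
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if not tls_on:
            findings.append(f"{host}: TCP API without tlsverify; anyone reaching port {port} "
                            "can start containers and therefore run as root on the host")
        if bind in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
    if tls_on:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is not configured")
    for reg in cfg.get("insecure-registries", []):
        findings.append(f"insecure registry {reg}: pulls over plaintext or unverified TLS, "
                        "image content can be swapped in transit")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, "->", audit_daemon_config(text) or "no findings")
```

The check is deliberately about the daemon, not the images: once the API is reachable without a client certificate, the attacker chooses the image, the registry and the bind mounts, so nothing Docker Hub does about a reported repository would have changed the outcome on such a host.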

I was into the second paragraph before I realized it wasn't talking about visual images. Maybe the word 'software' would be more to the point than 'images', at least in the headline and before Docker Hub is explained.

Well, they are basically an image of a configured, working OS with some function.

Maybe we'd need another word for that in IT but snapshot still haven't got the media's attention.

Honestly, I can't convince my brain to think in any other way than "OS images, disk images, hard drive images" and so on...

so Docker hub (like all the other repos: npm, rubygems, nuget, Maven central etc) don't curate content (although in Docker hub's case they do provide "official" images which are reviewed)

Anyone can upload anything to Docker hub. that doesn't mean anyone will actually pull and use the container image.

This is the same way as you can upload "malware" to npm. I've got repos on there with eicar and Metasploit payloads that have been there for years.

You can't accidentally pull and run an image, you have to actually specify that username and image and they didn't seem to be trying to typosquat official repos.

There have been cases on other package repos of typosquatting and also backdoors being inserted into packages via compromise of developer creds.

My guess (and indeed the original article suggested this) would be that these images were used as part of other attacks (for example compromising exposed kubernetes clusters).

If we want to have a more interesting story, we could discuss why a large percentage of today's software is based on libraries that have never had a security review, and where the users have no idea who the authors were or whether they practice good OpSec, to prevent attackers compromising their repo accounts.

Would I be down-voted into oblivion if I advocated that Monero, the Bitcoin bullshit that seems to be supported entirely by using other people's computers for their own gain, be regulated into oblivion?

Or is there some redeeming value to it that makes that idea bad?

Monero is essentially an encryption protocol for sending information (usually tokens) from one place to another. Your point that it's used for bad stuff is valid, but I'm a bit disappointed to see that so many ars readers think that the government banning/regulating encryption is a good way to deal with it being used for bad stuff.

It's the same argument the FBI is making for regulating and banning other encryption protocols. Sure, it's a different kind of encryption, but the issues with your preferred solution are the same:
- Banning it will be completely ineffective at preventing illegitimate use
- On the other hand, banning it will almost definitely prevent legitimate use

As a currency, banning it for legitimate use will very likely make it near worthless for illegitimate use.

OTOH, in-the-wild attacks are the only way the world will be stimulated to improve computer security, and I'd rather the attacker mine Monero than cryptolocking my computer or a country installing rootkits on millions of home routers. If laws allowed white hats to do prank hacking, we'd all be a lot more secure by now.

On that note can someone explain Docker Hub and these images they are talking about.

So Docker hub is a repository (the main public one) for Docker images. The images are essentially packaged software used by containerization systems like Docker. One analogy for Docker hub is like a mobile phone app store and the Docker images are like the apps in the store.

Basically a Dockerfile is used to generate the image, the dockerfile is kind of like a bash script which builds up an environment for a piece of software to operate in.

Then the image can be deployed onto a host isolated from the rest of the system. On linux you can either rely on Linux OS security for the isolation (e.g. namespaces, capabilities, cgroups) or you can use something like katacontainers, which uses a VM style isolation.

On Windows, you can use job objects for isolation or use Hyper-V to provide VM class isolation.

Yeah, I too was confused by "images" in the headline and subhead. I was afraid there was some weird steganography-malware shenanigans going on with the perfectly normal shoes/casual khakis photo collection I've been amassing.

I don’t see any explanation of how the host filesystem was mounted into the containers. Did the victims really add ‘-v /:/mnt’ to the docker command line to explicitly mount the root filesystem into a container of unknown origin? I can’t imagine anyone who understands how docker works blindly running an image configured like that. Maybe they ran a malicious shell script that started the container?

A side effect of the additional ease of use provided by containers like docker, as opposed to more complete emulation like VirtualBox is that it's really not necessary for people to understand them to use them.

To share my entire HDD with VirtualBox I need to create an appropriate network share using some application, set up the networking suitably and use the share in the guest. That tends to involve following 'real' tutorials about how to use the individual application which usually touch on sharing / over the network is a poor idea. Plus the pages at the end about configuration for large applications.

Docker tutorials can be as small as "copy this image and run with this line, ta-da!". No thought or configuration necessary. It's easy for someone who's followed one to think "I want other files not in the list" and then share their whole pc without any understanding of the dangers. Or have an unscrupulous tutorial give them a line already doing so, as docker does all that for you. Conversely it's not possible for anything in a VirtualBox guest to be able to create shared files on the host. I have to manually set that up.
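As an added example (mine, not a poster's and not Docker's) of the "-v /:/mnt" question quoted above and the "share their whole pc" point just made: the function below reads the HostConfig object that "docker inspect" prints for a container and flags the settings that hand the host to the image, such as a bind mount of / or of the Docker socket, --privileged, host PID or network namespaces, and added capabilities. The field names are the documented ones; the two sample HostConfig objects are constructed.

```python
"""Flag container run settings that hand the host to the image.

Added example; not the thread's or Docker's code. Input is the HostConfig
object from `docker inspect <container>` (fields Binds, Privileged, PidMode,
NetworkMode, CapAdd); the two sample objects below are constructed.
"""
import json

# Host paths whose exposure to a container is equivalent to host compromise.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/boot", "/dev", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

# Constructed: the "-v /:/mnt" case asked about in the thread.
WHOLE_HOST_CONFIG = {
    "Binds": ["/:/mnt"],
    "Privileged": False,
    "PidMode": "",
    "NetworkMode": "default",
    "CapAdd": None,
}

# Constructed: only the application's own data directories are shared.
SCOPED_CONFIG = {
    "Binds": ["/srv/gitlab/data:/var/opt/gitlab", "/srv/gitlab/config:/etc/gitlab"],
    "Privileged": False,
    "PidMode": "",
    "NetworkMode": "default",
    "CapAdd": None,
}


def host_path_is_sensitive(path: str) -> bool:
    """True for / itself, for a listed path, or for anything beneath one."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_host_config(host_config: dict) -> list:
    """Return findings for one container's HostConfig; empty list means none."""
    findings = []
    for bind in host_config.get("Binds") or []:
        # Bind syntax is host_path:container_path[:options]; a source without a
        # leading / is a named volume, not a host directory.
        host_path, _, rest = bind.partition(":")
        if not host_path.startswith("/"):
            continue
        if host_path_is_sensitive(host_path):
            opts = rest.partition(":")[2].split(",")
            mode = "read-only" if "ro" in opts else "read-write"
            findings.append(f"bind mount of sensitive host path {host_path} ({mode})")
    if host_config.get("Privileged"):
        findings.append("Privileged: all capabilities and raw access to host devices")
    if host_config.get("PidMode") == "host":
        findings.append("PidMode=host: container can see and signal host processes")
    if host_config.get("NetworkMode") == "host":
        findings.append("NetworkMode=host: container shares the host network stack")
    for cap in host_config.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            findings.append(f"CapAdd {cap}: capability commonly used to escape the container")
    return findings


def audit_inspect_output(inspect_json: str) -> dict:
    """Map each container name in `docker inspect` JSON output to its findings."""
    return {c["Name"].lstrip("/"): audit_host_config(c.get("HostConfig", {}))
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for label, cfg in (("whole host", WHOLE_HOST_CONFIG), ("scoped", SCOPED_CONFIG)):
        print(label, "->", audit_host_config(cfg) or "no findings")
```

Run it over "docker inspect $(docker ps -q)" and the read-write mount of / stands out immediately; a read-only mount of the same path is still reported, because it still exposes every secret on the host to whatever the image runs.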

It took me 1 minute of reading before I understood that "images" are not pictures, but disks you run in vm. This title really supposes that everyone knows what docker is, but I guess that is a big overestimation of the audience.

It took me 1 minute of reading before I understood that "images" are not pictures, but disks you run in vm. This title really supposes that everyone knows what docker is, but I guess that is a big overestimation of the audience.

Sorry to be "that guy" but that's how I usually feel reading non-IT science articles in Ars so I always assume that the fault is in my ignorance or lack of knowledge if you prefer.

Just this once I understood everything that was going on!!

P.S. As I said above I agree we need another word for this "images". Ideas?

so Docker hub (like all the other repo's npm, rubygems, nuget, Maven central etc) don't curate content (although in Docker hub's case they do provide "official" images which are reviewed)

The issue isn't the fact that somebody uploaded malware. As you say, that sort of thing happens all the time.

The issue is that the owners of the repository were told about the malware, and they did nothing about it for eight months.

That raises serious concerns about the hub - if they don't act promptly when they're told about these problems, it means that users of that hub are at serious risk. Sure, there's only so much they can do, but they're not doing even what I'd consider to be the bare minimum.

That's inexcusable, in my books - and that's what this is about. Not the malware in and of itself, but the lack of action.

so Docker hub (like all the other repo's npm, rubygems, nuget, Maven central etc) don't curate content (although in Docker hub's case they do provide "official" images which are reviewed)

The issue isn't the fact that somebody uploaded malware. As you say, that sort of thing happens all the time.

The issue is that the owners of the repository were told about the malware, and they did nothing about it for eight months.

That raises serious concerns about the hub - if they don't act promptly when they're told about these problems, it means that users of that hub are at serious risk. Sure, there's only so much they can do, but they're not doing even what I'd consider to be the bare minimum.

That's inexcusable, in my books - and that's what this is about. Not the malware in and of itself, but the lack of action.

So basically I'd try and avoid non-curated repositories if I were you then. That includes (but is not limited to) npm, rubygems, PyPi, Docker hub, Maven Central and of course Github.

The reality of the matter is that none of the organizations or individuals running software repositories has the resources required to review the content of their systems.

You could say "hey they could respond to reports", sure but what's one person's malware is another person's legitimate business tool.

So for example if I package up a penetration testing tool like Metasploit and put it on Docker hub, is that malware? It can definitely be used by attackers, but it's also usable by legitimate security testers.

What about a reverse shell in a docker image. Well again that's dual use...

So which way do the repo owners fall? If they start trying to adjudicate what's allowed in terms of content, they're going to have to sink a load of money into that.

Now for Docker hub maybe they have the cash, but what about things like Rubygems, which is (AFAIK) largely a volunteer effort.

so Docker hub (like all the other repo's npm, rubygems, nuget, Maven central etc) don't curate content (although in Docker hub's case they do provide "official" images which are reviewed)

The issue isn't the fact that somebody uploaded malware. As you say, that sort of thing happens all the time.

The issue is that the owners of the repository were told about the malware, and they did nothing about it for eight months.

That raises serious concerns about the hub - if they don't act promptly when they're told about these problems, it means that users of that hub are at serious risk. Sure, there's only so much they can do, but they're not doing even what I'd consider to be the bare minimum.

That's inexcusable, in my books - and that's what this is about. Not the malware in and of itself, but the lack of action.

It's worth remembering it's free hosting. You're not paying them for their service.

I'm not saying I agree with it taking so long, I don't, just pointing out that complaining that the free thing someone does for you isn't up to your standards isn't a particularly strong negotiating position.

P.S. As I said above I agree we need another word for this "images". Ideas?

Good luck with that!

The term "image" for "a computer file containing the contents and structure of a disk volume or of an entire data storage device, such as a hard disk drive, tape drive, floppy disk, optical disc or USB flash drive." (straight from Wikipedia) is simply too ingrained. It doesn't just apply to docker, as this definition shows.

Have you installed an operating system from an ISO image? Spun up a virtual machine from an OVA/OVF image? Or created a container from a Docker image?

They're all in some way related concepts as per the definition. So, you'd have to try and find a new term that still encompasses them all.

I wouldn't know where to even start. (stop throwing Thesauri at me, you know what I mean!)

EDIT: I saw you proposed snapshot in your earlier post. Sadly, that term is already taken in yet another but similar context. A snapshot is sort of the reverse: you "freeze" a running operating system, program, data store, what-have-you at a point in time. Allowing you to return to that point in time or create a copy starting at that point in time which may then diverge from your "original". The point is that snapshots are taken off mutable environments: you grab a moment in the always changing system. Whereas one of the points of containers is their *im*mutability: you can quickly throw away a container and spin up a new one in moments from the image. That makes them ideal for load balancing, high availability and a plethora of enterprise requirements.

Yeah, I too was confused by "images" in the headline and subhead. I was afraid there was some weird steganography-malware shenanigans going on with the perfectly normal shoes/casual khakis photo collection I've been amassing.

Reading the headlines the first thing that came to my mind was some kind of obscure exploit in a popular picture file format like JPEG or PNG being used to run arbitrary code. Only after reading through the article I realized it was some kind of application image (I wasn't familiar with the Docker concept but thanks for the several explanations above from other readers now I have some grasp on the subject).

Would I be down-voted into oblivion if I advocated that Monero, the Bitcoin bullshit that seems to be supported entirely by using other people's computers for their own gain, be regulated into oblivion?

Or is there some redeeming value to it that makes that idea bad?

A better idea would be for the cryptocurrency itself to provide ways to be regulated by their users. Like some traceability and mechanisms to expose frauds or misuse.